Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

ytnef: Multiple Vulnerabilities — GLSA 202405-24

Multiple vulnerabilities have been discovered in ytnef, the worst of which could potentially lead to remote code execution.

Affected packages

Package net-mail/ytnef on all architectures
Affected versions < 2.0
Unaffected versions >= 2.0

Background

ytnef is a TNEF stream reader for reading winmail.dat files.

Description

The TNEFSubjectHandler function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a double free which can be triggered via a crafted file. The SwapWord function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a heap buffer overflow which can be triggered via a crafted file.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All ytnef users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-mail/ytnef-2.0"

References

Release date
May 08, 2024

Latest revision
May 08, 2024: 1

Severity
normal

Exploitable
remote

Bugzilla entries